Your USB drive could be hiding some awful new malware

Someone connecting a USB Drive to their laptop.
Image credit: Honeywell (Image credit: Honeywell)

A rampart new malware strain exploiting USB drives is quickly spreading across the globe, experts have warned. 

Cybersecurity firm Check Point published a report outlining how a Chinese state-sponsored group called as Camaro Dragon (also known as Mustang Panda and LuminousMoth) is spreading the malware on a wide scale via infected USB drivers. 

WispRider is the name of the main variant being used, which has undergone numerous iterations. It uses the HopperTrick launcher to propagate via USB, and also has a feature to bypass SmadAV, a popular antivirus solution in Southeast Asia.

Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?) 


This region is where the malware began operating, but it then self-propagated through USB drives to other regions of the world. In early 2023, the Check Point Incident Response Team (CPIRT) team found the malware had reached a European healthcare institution.

WispRider is also capable of DLL sideloading, using components belonging to security software, such as G-DATA Total Security, and those belonging to Electronic Arts and Riot Games, two giants in the gaming world. Check Point notified the above companies that attackers had used their respective software.

Check Point says, "The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need of protecting against those, even for organizations that may not be the direct targets of such campaigns."

It claims to have found USB malware infections in other countries around the world, including Myanmar, South Korea, Great Britain, India and Russia.

Check Point also notes that WispRider aligns with other tools used by Camaro Dragon recently, such as a backdoor called TinyNote and a router firmware implant called HorseShell. "All of them share infrastructure and operational goals," claims Check Point.

Since the case witnessed at the European hospital, the malware has been upgraded. Now it has a more unified structure, whereby the USB infector, evasions module and backdoor are combined into one payload, as opposed to a separate set of legitimate executables and side-loaded DLLs.

The coding of the malware components has also been revamped, with newer versions of all components now written in C++, whereas the USB launcher was written in Delphi. 

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.